Program history
This public bug bounty history page was added on June 25, 2026 to make the review process visible to agents, developers, and users. Submission counts and remediation history will be updated as reports are received and resolved.
Bug Bounty
Stackit treats audits as one trust layer, not the only trust layer. Our current approach combines limited permissions, public fee rules, sandbox testing, bug bounty review, policy-based automation, and user self-rescue paths.
Last updated June 25, 2026
This public bug bounty history page was added on June 25, 2026 to make the review process visible to agents, developers, and users. Submission counts and remediation history will be updated as reports are received and resolved.
Report security issues to support@stackit.ai with a concise reproduction, affected route/tool, expected impact, and safe proof. Do not include private keys, seed phrases, production customer data, or destructive exploit steps.
Policy checks, unsigned transaction preparation, relay flow, replay protection, and wallet-sovereign assumptions.
Public demo endpoints, sandbox endpoints, auth boundaries, typed safety errors, idempotency, and rate limits.
Tool schemas, tool-call boundaries, auth-required behavior, and prompt-injection-sensitive responses.
Misleading safety copy, broken recovery paths, exposed sensitive data, or instructions that could cause unsafe execution.
| Submissions received | Not yet publicly reported |
|---|---|
| Valid issues | Not yet publicly reported |
| Critical severity | None publicly reported |
| High severity | None publicly reported |
| Fix history | Published fix notes will be added here as valid bounty reports are remediated. |
A bug bounty does not guarantee safety. It complements scoped permissions, public fee rules, sandbox testing, policy-based automation, self-rescue docs, internal review, and future third-party audits.
Stackit.ai is not currently presenting a completed third-party smart contract audit. Audit scope, firm, date, findings, and remediation notes should be published as that layer is completed.